AI-assisted cloud intrusion achieves admin access in 8 minutes

Feb. 4, 2026, 8:51 p.m.

Description

An AWS environment was targeted in a sophisticated attack, with the threat actor gaining administrative privileges in under 10 minutes. The operation showed signs of leveraging large language models for automation and decision-making. Initial access was obtained through credentials found in public S3 buckets, followed by rapid privilege escalation via Lambda function code injection. The attacker moved laterally across 19 AWS principals, abused Amazon Bedrock for LLMjacking, and launched GPU instances for potential model training. The attack involved extensive reconnaissance, data exfiltration, and attempts to establish persistence. Notable techniques included IP rotation, role chaining, and the use of AI-generated code.

External References

https://www.sysdig.com/blog/ai-assisted-cloud-intrusion-achieves-admin-access-in-8-minutes
https://otx.alienvault.com/pulse/69836c62efca44252227678d
Tags
lateral movement
cloud security
privilege escalation
aws
2026-02-04
ai-assisted attack
gpu abuse
lambda injection
llmjacking

Date

  • Created: Feb. 4, 2026, 3:57 p.m.
  • Published: Feb. 4, 2026, 3:57 p.m.
  • Modified: Feb. 4, 2026, 8:51 p.m.

Indicators

  • 197.51.170.131
  • 152.58.47.83
  • 103.177.183.165
  • 194.127.167.92
Download all indicators here!

Attack Patterns